tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: IPsec vs ssh

Darren Reed <> writes:

> The man page for setkey seems to suggest that there is a priority
> mechanism that would allow me to create a "none" SPD for ssh
> packets but setkey on NetBSD doesn't support this. If I understand
> correctly, if it was present then I would do something like this:
> spdadd A.B.C.D/32 E.F.G.0/24 any -P in priority low ipsec
> esp/tunnel/A.B.C.D-E.F.G.H/require;
> spdadd E.F.G.0/24 A.B.C.D/32 any -P out priority low ipsec
> esp/tunnel/E.F.G.H-A.B.C.D/require;
> spdadd A.B.C.D/32[22] E.F.G.0/24[any] tcp -P in priority high none;
> spdadd E.F.G.0/24[any] A.B.C.D/32[22] tcp -P out priority high none;

I have only skimmed this rather huge (and surprisingly contentious)

Two points about your policies:

  They have to match on both ends, inversely.

  I believe it's first match, not last match.  I am unaware of NetBSD
  supporting priority on policies, and I haven't read the recent specs,
  but I wasn't aware of that being in the RFCs (although it's arguably a
  local matter).

To debug this, besides tcpdump, use netstat -p before and after trying,
to see which counters are going up.

So basically, put the ssh rules first, and then the generic rules.

It's still mysterious why ssh owuld fail with a working tunnel.  (That
you want ssh excluded so you can use it to fix the other side of tunnels
is understandable.)

Attachment: pgpLIiK4Uf2Xe.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index